Today I watched a spammer trying to deliver his spam using multiple hosts.

Well, they don’t really get smarter, they just put in more effort.

If he were smart, he wouldn't say hello each time with rnddg[2].rnddg[2].rnddg[2].rnddg[2] (literally, not random digits…)

I can’t say for sure that this is the same spammer; this account seems to get a lot of spam. But the timeframe and the rnddg stupidity suggest this is the same idiot. Only the first attempt used an email address made up from the reverse lookup; all others were probably from their database.

First attempt at 01:08:26 from an AOL IP, using the AOL hostname both for HELO and for sender. Rejected due to dynamic IP range listing.

Second attempt at 01:08:31 from host-$IP.midco.net rejected due to invalid HELO.

Third attempt at 01:08:34 from $IP.fl.comcast.net blocked due to dynamic IP listing.

Fourth attempt at 01:08:37 from an unknown IP (Oklahoma Office of State Finance) - blocked again due to the rnddg stuff.

Fifth attempt at 01:08:42 from another AOL IP, blocked due to dialin IP.

Sixth attempt at 01:08:46 from some charter.com address. Blocked using dialin IP range again.

Seventh attempt at 01:08:49 from some cinci.rr.com address. Again dialin block.

Eighth attempt at 01:09:01 from dialup.*.ev1.net - dialin IP block.

Ninth attempt at 01:09:17 from cura.net, again dialin IP block.

Tenth attempt at 01:09:30 from unknown IP (charter-net). RBL block.

01:09:32 - some spam from a different spammer made it through using some charter.net IP without reverse lookup and got 28.9 Hits in SpamAssassin.

Eleventh attempt at 01:09:47 from .ppp.*.epix.net - dialin block.

Twelfth attempt at 01:10:43 from dial.plus.net - dialin block.

Thirteenth attempt at 01:11:16 from dial-up.net - dialin block.

Fourteenth attempt at 01:11:19 from .va.comcast.net - dialin block.

Fifteenth attempt at 01:11:23 from unknown IP (rr.com) - HELO rejected.

Sixteenth attempt at 01:11:27 from swbell.net - dialin block. (not rnddg)

Seventeenth attempt at 01:11:30 from chello.nl - dialin block. (not rnddg)

Eighteenth attempt at 01:11:33 from .mi.comcast.net - dialin block. (not rnddg)

Nineteenth attempt at 01:11:37 from east.verizon.net - dialin block. (not rnddg)

At 01:11:41 another spam made it through from rr.com, scored 7 hits in SpamAssassin.

Another - probably different - spam attempt is made at 01:17:33, the next at 01:53:20. At 02:09:21 another mail comes through and scores 9.7 hits.

So this spammer took like 15 tries, immediately followed by one taking 5 tries to find a zombie I do not block. And even the mails that did make it through (most probably mails by other spammers) got eaten by SpamAssassin.

Please never complain to me again about not accepting mails from dialup lines. If you are on dialup, find a trustworthy mail server you can use SMTP AUTH on.
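
The correlation done by eye above (the same unexpanded `rnddg[2]` HELO arriving from many hosts within minutes) can be automated. The following is an added example, not part of the original post: the log format, the IP addresses and the names `classify_helo` and `find_campaigns` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified format (not a real MTA's log layout).
SAMPLE_LOG = """\
01:08:26 ip=192.0.2.11 helo=<dialup-11.isp-a.example>
01:08:31 ip=198.51.100.7 helo=<rnddg[2].rnddg[2].rnddg[2].rnddg[2]>
01:08:37 ip=203.0.113.40 helo=<rnddg[2].rnddg[2].rnddg[2].rnddg[2]>
01:09:32 ip=198.51.100.99 helo=<mail.other.example>
01:11:23 ip=203.0.113.77 helo=<rnddg[2].rnddg[2].rnddg[2].rnddg[2]>
01:53:20 ip=192.0.2.200 helo=<[192.0.2.200]>
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) ip=(\S+) helo=<(.*)>$")
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
ADDR_LITERAL = re.compile(r"^\[(\d{1,3}\.){3}\d{1,3}\]$|^\[IPv6:[0-9A-Fa-f:.]+\]$")
PLACEHOLDER = re.compile(r"[A-Za-z]+\[\d+\]")  # e.g. rnddg[2] left unexpanded

def classify_helo(helo):
    # Returns "ok", "template" (unexpanded macro) or "invalid" (bad hostname syntax).
    if ADDR_LITERAL.match(helo):
        return "ok"
    if PLACEHOLDER.search(helo):
        return "template"
    labels = helo.split(".")
    if len(helo) <= 255 and all(LABEL.match(label) for label in labels):
        return "ok"
    return "invalid"

def find_campaigns(log_text, window=600, min_hosts=2):
    # Group identical bad HELO strings seen from several IPs within `window` seconds.
    seen = defaultdict(list)  # bad HELO string -> [(seconds since midnight, ip)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, ip, helo = m.groups()
        if classify_helo(helo) != "ok":
            seen[helo].append((int(h) * 3600 + int(mi) * 60 + int(s), ip))
    campaigns = {}
    for helo, hits in seen.items():
        hits.sort()
        ips = {ip for t, ip in hits if t - hits[0][0] <= window}
        if len(ips) >= min_hosts:
            campaigns[helo] = sorted(ips)
    return campaigns

if __name__ == "__main__":
    print(find_campaigns(SAMPLE_LOG))
```
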